[Samba] Sysvol issues after DC migration

Rowland Penny rpenny at samba.org
Tue Mar 16 10:09:00 UTC 2021

On 16/03/2021 08:58, Oleg Blyahher via samba wrote:
> I've removed uidNumber from the Administrator user (it had 2500). 
> Still getting the same "Access is denied" when trying to change 
> things, and can't set the owner.
> The Administrator user also has the gidNumber 512, if that helps 
> anything.

It sounds like someone has given everything a uidNumber or gidNumber. 
Try checking the following users for a uidNumber or gidNumber attribute:


Remove any that you find. Do the same for these groups:

cert publishers
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
domain admins
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers

Then run 'net cache flush' on all Unix domain members.

If you still cannot use Administrator to change things on a Samba DC, 
then check if idmap.ldb contains an object similar to this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

Where 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is your domain SID.
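
The two checks described in the message above, as an added example that is not part of the original post or of Samba itself: `flag_posix_ids` reads ldbsearch-style LDIF on stdin and reports which of the listed groups carry a uidNumber or gidNumber, and `admin_xid` prints the xidNumber stored for the RID 500 SID in an idmap.ldb dump. The function names, the sample entries and the sample SID are constructed for illustration.

```shell
#!/bin/sh
# Groups named in the message, lower-cased and ';'-separated.
WATCHED='cert publishers;ras and ias servers;allowed rodc password replication group;denied rodc password replication group;enterprise read-only domain controllers;domain admins;domain guests;domain computers;domain controllers;schema admins;enterprise admins;group policy creator owners;read-only domain controllers'

# Print "cn<TAB>attr=value[,attr=value]" for each watched group that carries
# a uidNumber or gidNumber. Entries are separated by blank lines, as in LDIF.
flag_posix_ids() {
    awk -v watched="$WATCHED" '
        function flush_entry() {
            if ((tolower(cn) in want) && ids != "") printf "%s\t%s\n", cn, ids
            cn = ""; ids = ""
        }
        BEGIN { n = split(watched, w, ";"); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^$/ { flush_entry(); next }
        /^cn: / { cn = substr($0, 5) }
        /^(uidNumber|gidNumber): / { sub(/: /, "="); ids = ids (ids == "" ? "" : ",") $0 }
        END { flush_entry() }
    '
}

# Print the xidNumber of the idmap record whose objectSid ends in -500,
# whatever order the attributes appear in.
admin_xid() {
    awk '
        function flush_entry() { if (is500 && xid != "") print xid; is500 = 0; xid = "" }
        /^$/ { flush_entry(); next }
        /^objectSid: S-1-5-21-.*-500$/ { is500 = 1 }
        /^xidNumber: / { xid = substr($0, 12) }
        END { flush_entry() }
    '
}

# Constructed sample input (not taken from the thread).
sample_sam() {
    printf '%s\n' \
        'dn: CN=Domain Admins,CN=Users,DC=example,DC=com' \
        'cn: Domain Admins' \
        'gidNumber: 10512' \
        '' \
        'dn: CN=Domain Users,CN=Users,DC=example,DC=com' \
        'cn: Domain Users' \
        'gidNumber: 10000'
}
sample_idmap() {
    printf '%s\n' \
        'dn: CN=S-1-5-21-1111-2222-3333-500' \
        'xidNumber: 0' \
        'objectSid: S-1-5-21-1111-2222-3333-500'
}
```

On a DC, pipe the output of ldbsearch run against sam.ldb and idmap.ldb into these functions; the location of those files depends on the installation. Domain Users in the sample is not reported because it is not one of the groups listed in the message.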

